This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Prevent Credential Phishing with UPN (userPrincipalName)

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Prevent Credential Phishing with UPN (userPrincipalName)

fhu_omi
L1 Bithead

‎06-29-2022 02:14 AM

Hi World,

 

I'm have my first contact with this Prevent Credential Phishing feature. With the option "IP User", because UserID Mapping is already in place, i'm able to detect sAMAccountName Username submissions. But a lot of phishing sites are focused on the UPN, but the UPN username filed submission is not detected by the firewall.

sAMAccountName is our primary Username in the group mapping settings and alternate Username 1 is the UPN.

 

If possible how can we detect username fields submissions with UPN or sAMAccountName. Perhaps it is possible with Domain Credential Filter setting, but we do not have an RODC at the moment, but if it is the only option to cover both username types, the i'm also happy to know that.

 

I hope somebody can help, the PAN documentation does not cover this topic.

 

Kind regards

 

0 Likes Likes
2 REPLIES 2

aleksandar.astardzhiev
Cyber Elite
Cyber Elite

‎07-22-2022 09:49 AM

Hi @fhu_omi ,

Have you consider the option to create additional Group-Mapping profile with UPN as primary username.

And configure Credential Protection with "User Group Mapping" setting.

0 Likes Likes

fhu_omi
L1 Bithead
In response to aleksandar.astardzhiev

‎08-15-2022 06:12 AM - edited ‎08-15-2022 06:35 AM

Hi @aleksandar.astardzhiev ,

 

this does not work see kb https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFQCA0 is written: When multiple group-mappings are configured with same base dn or ldap server, each group-mapping must include non-overlapping groups i.e include group list must not have any common group.

 

But for test purpose, you need to considering, that not every web serivce is protected by the user credential protection. If the traffic is classified as one of the following services, then user credential prevention does not pop in:

https://live.paloaltonetworks.com/t5/customer-resources/trusted-app-ids-that-skip-credential-submiss...

 

i test on facebook login site, which is protected by the pan user cred prevention. i have a UPN estuser1@testdomain.com and SAM testuser1.

 

And PAN blocks as soon the string testuser1 is seen in a username field:

 

testuser1 -> detected

testuser1@ -> detected

testuser1@testdomain.com -> detected

testuser1@blabla.com -> detected

testuser12 -> not detected

testuser12@ -> not detected

 

i looks like, the domain is not checked for this Group Mapping credential submit method.

I need now to setup a RODC to check the behaviour with the Domain Credential Filter method.

 

Kind regards

0 Likes Likes
  • 1638 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks